Ask HN: Advise for a self-taught budding programmer

9 points by sdiq ↗ HN
I have been learning how to program on my own for sometime now. I have mostly been learning Java and Spring - I have some other reasons why I specifically chose these technologies. I have also been working on developing my own website that will be offering some services to clients in my home country.

On the front-end bit, I have identified Envato Market where, I think, I can find good and affordable designers. So, my first question, do we have alternatives to that?

Secondly, on hosting, what are the best practices bearing in mind the mentioned technologies above?

Thirdly, while I will not be able to afford an expert on security at this moment in time, what other options are available to me?

Thank you in advance.

9 comments

[ 3.3 ms ] story [ 27.5 ms ] thread
I advise you to learn how to spell "advice"
Thanks for that. Will sure remember to use the correct word next time.
On front-end work:

Learn basic front-end skills. You can go a long way with just bootstrap, jquery and some nicely resized stock photographs. There's plenty of nice themes around for free or only an insignificant amount of money. Consider that you'll probably be competing on this front for the most part. This and your rate.

On hosting:

A $5/month VPS running Debian is cheap and can handle a decent amount of traffic.

On security:

You don't need a security expert unless you're dealing with highly sensitive information. Follow the best practices on: https://www.owasp.org/index.php/Main_Page Remember to sanitize all user input. Remember to be extra careful when you are serving user input to other users.

Thank you very much for your help. This would certainly go a long way in helping a self-taught 'amateur' like me.
Specifically regarding user input security:

Whitelist user input where possible, do not try to blacklist known dangerous characters. There are too many conflicting rendering ideologies for HTML between Chrome, Firefox and Internet Explorer for this to be feasible. For example, a language parameter's value in a POST request to change user settings should be whitelisted to things like "en" - there is no reason to allow "%0aSet-Cookie:%20", which could cause HTTP Header Injection. Absolutely do not try to be clever and sanitize specific tags like "<script>"

• Thoroughly escape dangerous characters if they must be represented. Use a well-tested library for this, do not try to roll your own.

• Do not allow user-input for filenames, especially if the file needs to be uploaded to a privileged directory (also avoid, where possible).

OWASP is unfortunately an inconsistent guide at best. security.stackexchange and /r/netsec are better.

Security is aggressively difficult. OP, if you have any more specific security questions you're welcome to email me and I'll help you out, free of charge.

The absolute best thing you can do to help yourself with security right now as a self-taught programmer is to thoroughly familiarize yourself with:

1. The nuances of your chosen language, and

2. The best libraries for security, authentication and input handling in your chosen language and framework.

For example, if you are a Ruby programmer you should immediately know about e.g. the dangers of passing user input to send() and how Ruby's REGEX functions a bit differently than other languages. You should also know the best authentication libraries off the top of your head and make use of them instead of trying to reinvent the wheel.

On hosting, since you don't have experience managing a full linux box, you might look at https://www.webfaction.com/?aid=9281 (referral link) where they handle most of the things (system, mysql, postgresql etc) and you maintain only your application . This is a little more pricier than a vps, but a lot less time to manage it + very helpful support team !
This is what I will probably chose for the time being as I learn more about Linux and Shell.
I host several spring webapps myself on a $10/month VPS running Ubuntu 14.04 (LTS)

Some notes:

- Default MySQL install listens only on loopback interface, so isn't exposed to the network (and if it's not in your case, you can change that in my.cnf)

- IPTables/NFTables can be used to whitelist allowed network traffic beyond HTTP/HTTPS

- SSH should be limited to public-key auth, with root login disabled as well as password auth disabled (or you can use 2 step verification with Google Authenticator, which is pretty easy to set up)

One thing I'll note is that I don't have Tomcat exposed directly to the internet: it's only exposed through an NGINX reverse proxy.

Apache Tomcat is fairly easy to download and set up (you can download the .tar.gz from Apache's website, untar, and run the executable ./bin/startup.sh).

I'd be happy to answer any questions really re: Java/Spring

Thank you very much for your inputs and advice.

As yet, I haven't touched anything other than a Windows machine. I was thus wondering whether, while your suggestions are very good and that is where I would ultimately have to end up in, in the meantime, could I learn the basics in a few weeks just so as to set-up everything correctly and thereafter expend more time in learning the finer details of such a set-up? If that is not possible then I will be forced to just go with a hosting provider that handles some of these stuff - at least in the beginning as I learn "everything".